Fake Google Notes Extension Steals Cryptocurrency by Secretly Replacing Wallet Addresses

01.07.2026 5 minutes Author: Newsman

Cybersecurity researchers have uncovered an active campaign called Silent Swap targeting cryptocurrency users. Instead of hacking exchanges or wallets, the attackers install a malicious browser extension that silently replaces a wallet address during a crypto transaction.

According to McAfee Labs, the campaign is distributed through unsigned installers written in .NET and Golang. These installers deploy a malicious extension for Chromium-based browsers while disguising it as a legitimate utility called Google Notes.

The .NET installer, known as BaseZipInstaller, scans the victim’s system for Chromium-based browsers. Once it finds them, it forcibly terminates each browser process and modifies the Secure Preferences and Preferences files to silently install the malicious extension.

The extension’s primary purpose is to function as a crypto clipper. It monitors the system clipboard and automatically replaces copied cryptocurrency wallet addresses with ones controlled by the attackers. To do this, it requests permission to access the clipboard, browsing history, and all websites the user visits.

Because blockchain transactions are generally irreversible, a single wallet address swap can result in permanent financial loss. Researchers also found links between Silent Swap and the previously documented CountLoader campaign, which deployed a similar crypto clipper. The evidence suggests that both operations are likely run by the same threat actor.

One of Silent Swap’s most distinctive features is its use of EtherHiding. Instead of relying on a traditional command-and-control (C2) server, the malicious extension queries a blockchain smart contract to retrieve the active C2 address. This allows the attackers to change their infrastructure simply by updating the smart contract, without redeploying the malware itself.

Another notable aspect of the campaign is how the extension is installed. It embeds itself into Google Chrome, Microsoft Edge, Brave, Vivaldi, and other Chromium-based browsers by modifying protected browser configuration files. On newer browser versions, the attack also relies on social engineering techniques to convince users to enable Developer Mode.

As McAfee Labs explains, Chromium-based browsers use hash values and HMAC verification to detect unauthorized changes to critical settings. After modifying the configuration files, the malware recalculates these security values, making the browser believe the malicious extension was installed legitimately.

As a result, the extension bypasses the normal installation process through the official extension store and loads without requiring any approval from the user.

The malware also includes multiple persistence mechanisms designed to make detection and removal more difficult. Instead of relying on traditional startup methods, it modifies browser configuration files so the malicious extension is automatically loaded every time the browser launches.

In addition, the malware attempts to automatically enable Developer Mode in Brave and Opera. Once the installation is complete, the installer deletes itself, removing one of the main indicators of compromise.
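The configuration changes described above leave traces that a responder can look for in a profile's Preferences / Secure Preferences JSON: an extension entry that was not installed from the Chrome Web Store, that is recorded as loaded unpacked from disk, that has no integrity MAC under `protection.macs`, or that requests clipboard access together with history or all-site access, especially when `extensions.ui.developer_mode` is on. The script below is an added triage example written for this article, not McAfee's or Chromium's code. The JSON keys it reads (`extensions.settings`, `from_webstore`, `location`, `manifest.permissions`, `host_permissions`, `extensions.ui.developer_mode`, `protection.macs`) are Chromium's real preference keys; the sample document, the two extension IDs and the MAC string are constructed placeholders and are not indicators from the report.

```python
"""Triage Chromium Preferences / Secure Preferences for sideloaded extensions.

Added example for this article (not McAfee's or Chromium's code). Reads the
JSON keys Chromium actually uses; the sample data at the bottom is constructed.
"""
import json

# Chromium's mojom::ManifestLocation value for an extension loaded unpacked
# from disk (the Developer Mode "Load unpacked" path).
LOCATION_UNPACKED = 4


def analyze_prefs(text: str) -> dict:
    """Parse a Preferences / Secure Preferences document and return findings.

    Result shape: {"developer_mode": bool, "findings": {extension_id: [reason, ...]}}
    """
    prefs = json.loads(text)
    ext = prefs.get("extensions", {})
    dev_mode = bool(ext.get("ui", {}).get("developer_mode", False))

    # Per-preference MACs that Chromium records for tracked settings. An entry
    # with no MAC at all was written by something other than the browser. A
    # present MAC is NOT proof of legitimacy: as the article notes, the
    # installer recalculates these values after tampering.
    macs = (prefs.get("protection", {}).get("macs", {})
            .get("extensions", {}).get("settings", {}))

    findings = {}
    for ext_id, entry in ext.get("settings", {}).items():
        reasons = []
        manifest = entry.get("manifest", {})
        if not entry.get("from_webstore", False):
            reasons.append("not installed from the Chrome Web Store")
        if entry.get("location") == LOCATION_UNPACKED:
            reasons.append("loaded unpacked from disk")
        if ext_id not in macs:
            reasons.append("no integrity MAC recorded for this entry")
        # MV2 lists host patterns under permissions, MV3 under host_permissions.
        perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        broad = perms & {"<all_urls>", "history"}
        if "clipboardRead" in perms and broad:
            reasons.append("clipboard read combined with " + ", ".join(sorted(broad)))
        if reasons:
            findings[ext_id] = reasons
    return {"developer_mode": dev_mode, "findings": findings}


# Constructed sample document. Extension IDs and the MAC are placeholders.
SAMPLE_SECURE_PREFERENCES = json.dumps({
    "extensions": {
        "ui": {"developer_mode": True},
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {        # placeholder id
                "from_webstore": False,
                "location": LOCATION_UNPACKED,
                "manifest": {
                    "name": "Google Notes",
                    "permissions": ["clipboardRead", "clipboardWrite", "history"],
                    "host_permissions": ["<all_urls>"],
                },
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {        # placeholder id, benign
                "from_webstore": True,
                "location": 1,
                "manifest": {"name": "Benign Dictionary", "permissions": ["storage"]},
            },
        },
    },
    "protection": {
        "macs": {"extensions": {"settings": {
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": "PLACEHOLDER_MAC",
        }}}
    },
})


if __name__ == "__main__":
    # Run against a real profile by reading the file instead:
    #   analyze_prefs(open(r"...\User Data\Default\Secure Preferences", encoding="utf-8").read())
    result = analyze_prefs(SAMPLE_SECURE_PREFERENCES)
    print("Developer Mode enabled:", result["developer_mode"])
    for ext_id, reasons in result["findings"].items():
        print(ext_id)
        for reason in reasons:
            print("  -", reason)
```

Run it against a copied Secure Preferences file from a suspect profile (close the browser first so the file is not rewritten mid-read). A hit on the MAC check means the file was edited by something that did not know the HMAC seed; a clean MAC check only means the writer recomputed the values, so the permission and install-source findings carry more weight than MAC presence alone.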

The wallet replacement process is also dynamic. After intercepting a copied cryptocurrency wallet address, the extension sends it to an attacker-controlled server, which returns a replacement address. If the server is temporarily unavailable, the malware falls back to a hardcoded backup wallet address to ensure the attack continues uninterrupted.

For Bitcoin, Ethereum, Bitcoin Cash, Ripple, and Dash, the server generates a unique attacker-controlled wallet address for each victim. In contrast, all Solana wallet addresses are replaced with the same destination wallet, which held a balance of $1,902.45 at the time of the analysis.

Researchers also found that the mapping process is deterministic. If the same original wallet address is submitted again, the server returns the same replacement address, indicating that each victim is assigned a consistent one-to-one wallet mapping.

Telemetry data shows that the campaign has spread worldwide. The highest number of infections was recorded in India, with additional victims identified in the United States, Brazil, Indonesia, and Spain.

According to the researchers, the campaign reflects the evolution of cryptocurrency theft. Instead of using a single static wallet address, the attackers now rely on server-side, per-victim wallet mapping while replacing traditional command-and-control infrastructure with blockchain-based services.

Researchers also uncovered another threat involving two malicious browser extensions, both named VPN Go: Free VPN, one for Google Chrome and one for Mozilla Firefox. Although they appear to function as free VPN services, they secretly monitor the system clipboard and transmit copied data to attacker-controlled servers.

These extensions can steal far more than cryptocurrency wallet addresses, including passwords, two-factor authentication codes, API keys, OAuth tokens, and cryptocurrency seed phrases.

Analysis revealed that the developer initially published completely legitimate versions of the extensions before introducing clipboard-stealing functionality in later updates. For Chrome, the malicious code first appeared in versions 1.1 and 1.2, while version 1.3 switched to a different data exfiltration server. In the Firefox version, the clipboard stealer was first introduced in version 1.3.3, followed by an infrastructure change in version 1.3.4.

Researchers recommend that anyone who has installed VPN Go: Free VPN should remove the extension immediately and treat all sensitive information handled while it was active as compromised.

They also warn that even if the VPN functionality appears to work as advertised, it actually increases the security risk. The extension can route browser traffic through attacker-controlled infrastructure, expose unencrypted HTTP traffic and connection metadata, and silently steal clipboard data at the same time.
